E-Authentication is ready to go live

'I have authorization to operate in a live environment.' - E-Authentication Project Manager Stephen Timchak

Olivier Douliery

The E-Authentication Gateway has been cleared for use. And the Office of Management and Budget is developing policies to make sure agencies can use it.

Agency CIOs for about a month have been reviewing federal guidance that outlines levels of identification and verification, said Mark Forman, OMB's associate director for IT and e-government.

'There are four levels of transactions that require different levels of identity within the four citizen-centered groupings,' Forman said earlier this month at the FOSE 2003 conference in Washington. 'We have to get the policy right, and we have to get the E-Authentication right. That is why we created the project.'

OMB is waiting to hear from CIOs before releasing the policy for public comment, Forman said.

In the meantime, the General Services Administration is progressing quickly to get the E-Authentication Gateway out to the agencies.

'I have authorization to operate in a live environment,' Stephen Timchak, E-Authentication project manager, said last week at the RSA 2003 Security Conference in San Francisco.

The gateway will provide a common path for authenticating users of e-government applications. It underlies the 24 other OMB Quicksilver initiatives, relieving agencies of having to develop their own authentication apps.

'All of them require user authentication,' said Tice DeYoung, NASA's project leader for the E-Authentication Gateway architecture project. 'We think if we support the 24 initiatives, we have taken a large step toward supporting much broader electronic government.'

Timchak said his team this month completed certification and accreditation of the gateway. He expects to make full production services available by early next year.

OMB's policy outlines four levels of authentication assurance for organizations that issue credentials, he said. Three of the four assurance levels OMB is proposing include requirements for a secure Web site, for using personal identification number and password control, and for using digital certificates, one agency CIO said.

Mapping risk

Each credential will map to one of the four assurance levels, and each e-government app will decide which level of assurance to require from a particular user based on risk.

The agency CIO said federal employees may be required to hold the highest level of certification to use the gateway.

The gateway, hosted by Mitretek Systems Inc. of Falls Church, Va., will maintain a list of trusted credentials.

The E-Authentication Gateway is separate from the Federal Bridge Certification Authority, which cross-certifies agency public-key infrastructures. PKI authentication will be a subset of the E-Authentication Gateway.

GSA's Judith Spencer, head of the Federal PKI Steering Committee, said the federal bridge will provide a validation path for the gateway to authenticate certificates at the higher assurance levels.

Before e-government transactions can take place over the open Internet, citizens as well as companies, agencies and other organizations must be sure whom they are dealing with.

A lack of such assurance doomed the Social Security Administration's efforts in 1997 to put Personal Earnings and Benefits Statements online.

'We have had limited success with electronic services' since PEBES was taken offline, said Kent Weitkamp, senior analyst in SSA's Office of Electronic Services.

Users who access an e-government application will be redirected to the gateway for authentication, Mitretek senior engineer Monette Respress said. The company is testing four gateway architectures with different protocols and technologies.

'We always envisioned that "single gateway" is a virtual term, not a physical one,' Respress said. 'We have brought in multiple architectures and multiple protocols' that will interoperate.

About the Authors

William Jackson is a freelance writer and the author of the CyberEye blog.